Cybercriminals are currently mass mailing millions of emails impersonating eBay and PayPal in an attempt to trick end users and corporate users into clicking on the malicious links found in the emails. Upon clicking on any of them, users are exposed to the client-side exploits served by the Black Hole exploit kit.

More details:

Screenshot of the spamvertised PayPal themed email:

Upon clicking on the link, users are exposed to the following bogus “Page loading…” page:

Upon successful client-side exploitation, the campaign drops MD5: 96f7c9d231bc5835e4a7c07bc94c5b4a on the affected hosts, currently detected by 2 out of 41 antivirus scanners as UDS:DangerousObject.Multi.Generic; WS.Reputation.1.

Based on these observations, we can easily conclude that a single cybercriminal or a gang of cybercriminals is systematically introducing undetected malicious executables and rotating the URLs that serve the client-side exploits, in addition to impersonating popular brands in an attempt to socially engineer users into interacting with these malicious emails.

This is the second PayPal/eBay themed malicious campaign that we’ve intercepted and profiled in recent months. We predict that, given the obviously high click-through rates resulting from the systematic rotation of the malicious domains and impersonated brands, we’ll see more campaigns abusing the trusted Web reputation of these brands.